Introduction

This OWASP initiative is intended for an executive audience and for application security program assessors. It contains a list of application security program weaknesses called the Common Program Weakness Enumeration (CPWE), which is intended to be built out over time in the same way that MITRE's Common Weakness Enumeration (CWE) catalogs software weaknesses. The CPWE spans topics having to do both with the institutionalization of an application security program and with systems development touch points. One CPWE use case is an organization that has a SAMM assessment (or a BSIMM assessment, or a less formal assessment) done and maps the findings to CPWE-IDs. Such a mapping would be done in much the same way that software vulnerability assessment tools are commonly configured to map software weakness findings to CWE (or, for example, to the OWASP Top Ten), so that findings can be compared apples to apples regardless of the program assessment methodology used.

Example: Below is a notional example of reporting findings from some SwA program assessment using CPWE:

Severe (3 Findings)
CPWE-3: Failure to Address Verification Findings For Application X <-- This is an instance of a finding of type CPWE-3
CPWE-3: Failure to Address Verification Findings For Application Y <-- This is another instance of a finding of type CPWE-3
CPWE-12: Insufficient Program Resources For Project Z <-- This is an instance of a finding of type CPWE-12

High (xx Findings)
...

Moderate (xx Findings)

Low (xx Findings)

Long-term goals for leveraging the CPWE potentially include creating an OWASP CISO Top Ten project using the CPWE as inputs (i.e. that draws from the list), similar to how the CWE/SANS Top 25 list is constructed using the CWE.

Contributor Instructions

First, thank you for considering contributing. Generally, I think CPWE outlines need at least the five sections used in the example entry (Insufficient Program Resources - (12)). I think we should make sure to cover not just BSIMM and SAMM, but also NIST SP 800-64 (and actually make sure the SP is well-represented). I think CPWE text needs to be CWE-like (i.e. brief, but consistent in presentation and level of detail), while also being slightly bent towards an executive audience. I think CPWE consequences definitely need to be grouped into those two top-level buckets, for clear alignment with CF Disclosure Guidance: Topic No. 2.

If you are interested, the next step is to send a note to boberski_michael [at] bah.com to be assigned an item for further discussion.